Windows Security Alert: Core System File Zero-Days Confirmed Unpatched

Just days after the monthly Patch Tuesday Windows security update, zero-day vulnerabilities in a core Windows system file have been publicly disclosed, and they remain unpatched.

Every month, Microsoft fixes a bunch of security vulnerabilities across the product range on Patch Tuesday. The latest round of fixes has already been and gone, addressing a total of 111 security vulnerabilities. Some sixteen of these were rated as critical, and, crucially, there were no zero-days.

A zero-day vulnerability is one for which the vendor has not yet released a patch, leaving a window of opportunity for attackers who would exploit it. The absence of zero-days in this month's update was the good news. The bad news is that no fewer than four new zero-days affecting Microsoft Windows have now been publicly disclosed, three of them in a core Windows system file.

Trend Micro's Zero Day Initiative (ZDI) is a bug bounty program founded in 2005 which encourages the reporting of zero-day vulnerabilities by financially rewarding security researchers. "We make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw, which leaves researchers free to go find other bugs," the about ZDI page states.

It also says that no technical details about any vulnerability are made public until the vendor has released a patch. ZDI gives vendors a 120-day window in which to address the vulnerability, after which a "limited advisory," which includes mitigation advice, is published if a patch has not been forthcoming.

What are the four Windows zero-day vulnerabilities that have now been confirmed?

The Microsoft Windows zero-days that were publicly disclosed in this fashion on May 19 mostly affect a core Windows system file called splwow64.exe, the printer driver host for 32-bit applications. The name refers to the print spooler's Windows-on-Windows 64-bit (WOW64) host: the executable lets 32-bit applications print on a 64-bit Windows system. CVE-2020-0915, CVE-2020-0916 and CVE-2020-0986 all affect that splwow64 system file. All three carry a CVSS score of 7.0, which is rated high.

If exploited, these vulnerabilities would allow an attacker to escalate privileges on the targeted Windows computer. "The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer," the ZDI advisory states. "An attacker can leverage this vulnerability to escalate privileges from low integrity and execute code in the context of the current user at medium integrity."

The mitigating factor, and the reason these have not been rated critical, is that the attacker must first have obtained the ability to execute "low-privileged code" on the target computer.

Microsoft closes the case on one unpatched vulnerability

The last of the zero-day vulnerabilities publicly disclosed by ZDI has no CVE number, only the ZDI identifier ZDI-20-666. This is another privilege escalation vulnerability, but this time in the handling of WLAN connection profiles. An attacker would have to create a malicious profile, which could then disclose the credentials of that computer's account; those credentials could in turn be leveraged in an exploit. Although also rated high by ZDI, this vulnerability was not judged by Microsoft to be severe enough to fix "in the current version," and Microsoft closed the case without providing a patch.

"For ZDI-20-666, Microsoft felt the mitigating factors in the case justified them not releasing a security patch and instead looking to possibly fix the bug in a future version of Windows," ZDI senior director Brian Gorenc says. "Specifically, an attacker would need both a domain-joined machine and a rogue access point. ZDI feels this is a common enough scenario to deserve servicing through a security patch."

Although the other vulnerabilities, all of which ZDI reported to Microsoft in December, were not fixed in the most recent Patch Tuesday rollout, a beta patch was made available to ZDI for testing earlier this month. ZDI confirmed on May 12 that the beta patch successfully fixed the vulnerability, but communicated an "intent to publish the reports as 0-day" because the deadline extension options had expired. It is not yet known when that fix will be made available to Windows users.

Mitigation advice is limited at this stage

The mitigation advice included in the ZDI limited advisory disclosures for the three splwow64.exe zero-day vulnerabilities states that: "Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it."

"We do expect the bugs impacting splwow64 to receive patches in the June Patch Tuesday release," Gorenc told me, adding "restricting access to that service is the best method to prevent attacks until a patch is available. However, this will have impacts on print functionality and may not be appropriate for all users."
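As an added example (not part of this article, ZDI's advisory or Microsoft's guidance), the PowerShell audit helper below reports whether the print spooler and its splwow64.exe driver host are active on a machine and whether any printers are configured, so an administrator can weigh the print-functionality trade-off Gorenc describes. Stopping the spooler on hosts with no printers is this example's own assumption, a stronger step than the advisory's "restrict interaction with the service".

```powershell
# Added audit helper, not from ZDI or Microsoft. Reports whether the print
# spooler and its 32-bit driver host, splwow64.exe, are active, and whether
# any printers are configured, to inform the "restrict access vs. print
# functionality" trade-off. Stopping the Spooler is an assumption here,
# suitable only where nothing on the host needs to print.
function Get-SpoolerExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Stop and disable the Spooler when no printers are configured.
        [switch]$DisableIfUnused
    )

    $spooler     = Get-Service -Name Spooler -ErrorAction Stop
    $driverHosts = @(Get-Process -Name splwow64 -ErrorAction SilentlyContinue)

    # Get-Printer needs the PrintManagement module; treat failure as "unknown".
    $printers = $null
    try { $printers = @(Get-Printer -ErrorAction Stop) } catch { }

    $recommendation = if ($spooler.Status -ne 'Running') {
        'Spooler not running; splwow64.exe cannot be spawned by it.'
    } elseif ($null -ne $printers -and $printers.Count -eq 0) {
        'Spooler running with no printers configured; consider stopping it until patched.'
    } else {
        'Spooler needed for printing; limit which clients may reach it (per ZDI advisory).'
    }

    if ($DisableIfUnused -and $spooler.Status -eq 'Running' -and
        $null -ne $printers -and $printers.Count -eq 0 -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Spooler service')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        $recommendation = 'Spooler stopped and disabled.'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerStatus      = $spooler.Status
        SpoolerStartType   = $spooler.StartType
        Splwow64Pids       = $driverHosts.Id
        ConfiguredPrinters = if ($null -eq $printers) { 'unknown' } else { $printers.Count }
        Recommendation     = $recommendation
    }
}

# Report only; add -DisableIfUnused -WhatIf to preview the stronger step.
Get-SpoolerExposure | Format-List
```

Run it elevated: reading service state works for any user, but Stop-Service and Set-Service on Spooler require administrator rights.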

I have reached out to Microsoft for further information, including additional mitigation advice and clarification of which versions of Windows are affected by these vulnerabilities, and will update this article once I have any more information to add.

— updated May 26 with comments from ZDI